diff options
| author | Vladimir A Filonov <vladimir@labbler.com> | 2013-02-23 15:07:21 +0100 |
|---|---|---|
| committer | Aymeric Augustin <aymeric.augustin@m4x.org> | 2013-02-23 16:16:39 +0100 |
| commit | f49e9a517f2fdc1d9ed7ac841ace77636cbd6747 (patch) | |
| tree | 412736a26abc5b88aeac224820be51c381cef2e7 /docs | |
| parent | a61dbd62193d036d082fdad4d1af3b48ebec4fb3 (diff) | |
Fixed #17906 - Autoescaping {% cycle %} and {% firstof %} templatetags.
This commit adds "future" version of these two tags with auto-escaping
enabled.
Diffstat (limited to 'docs')
| -rw-r--r-- | docs/internals/deprecation.txt | 4 | ||||
| -rw-r--r-- | docs/ref/templates/builtins.txt | 55 | ||||
| -rw-r--r-- | docs/releases/1.6.txt | 28 |
3 files changed, 75 insertions, 12 deletions
diff --git a/docs/internals/deprecation.txt b/docs/internals/deprecation.txt index 50b9aa3c19..ef9fd31d15 100644 --- a/docs/internals/deprecation.txt +++ b/docs/internals/deprecation.txt @@ -323,6 +323,10 @@ these changes. 1.8 --- +* The :ttag:`cycle` and :ttag:`firstof` template tags will auto-escape their + arguments. In 1.6 and 1.7, this behavior is provided by the version of these + tags in the ``future`` template tag library. + * The ``SEND_BROKEN_LINK_EMAILS`` setting will be removed. Add the :class:`django.middleware.common.BrokenLinkEmailsMiddleware` middleware to your :setting:`MIDDLEWARE_CLASSES` setting instead. diff --git a/docs/ref/templates/builtins.txt b/docs/ref/templates/builtins.txt index cfc57cc551..149a557356 100644 --- a/docs/ref/templates/builtins.txt +++ b/docs/ref/templates/builtins.txt @@ -147,9 +147,8 @@ You can use any number of values in a ``{% cycle %}`` tag, separated by spaces. Values enclosed in single (``'``) or double quotes (``"``) are treated as string literals, while values without quotes are treated as template variables. -Note that the variables included in the cycle will not be escaped. -This is because template tags do not escape their content. Any HTML or -Javascript code contained in the printed variable will be rendered +Note that currently the variables included in the cycle will not be escaped. +Any HTML or Javascript code contained in the printed variable will be rendered as-is, which could potentially lead to security issues. For backwards compatibility, the ``{% cycle %}`` tag supports the much inferior @@ -190,6 +189,22 @@ call to ``{% cycle %}`` doesn't specify silent:: {% cycle 'row1' 'row2' as rowcolors silent %} {% cycle rowcolors %} +.. versionchanged:: 1.6 + +To improve safety, future versions of ``cycle`` will automatically escape +their output. You're encouraged to activate this behavior by loading +``cycle`` from the ``future`` template library:: + + {% load cycle from future %} + +When using the ``future`` version, you can disable auto-escaping with:: + + {% for o in some_list %} + <tr class="{% autoescape off %}{% cycle rowvalue1 rowvalue2 %}{% endautoescape %}"> + ... + </tr> + {% endfor %} + .. templatetag:: debug debug @@ -257,28 +272,44 @@ This is equivalent to:: {% if var1 %} {{ var1|safe }} - {% else %}{% if var2 %} + {% elif var2 %} {{ var2|safe }} - {% else %}{% if var3 %} + {% elif var3 %} {{ var3|safe }} - {% endif %}{% endif %}{% endif %} + {% endif %} You can also use a literal string as a fallback value in case all passed variables are False:: {% firstof var1 var2 var3 "fallback value" %} -Note that the variables included in the firstof tag will not be -escaped. This is because template tags do not escape their content. -Any HTML or Javascript code contained in the printed variable will be -rendered as-is, which could potentially lead to security issues. If you -need to escape the variables in the firstof tag, you must do so -explicitly:: +Note that currently the variables included in the firstof tag will not be +escaped. Any HTML or Javascript code contained in the printed variable will be +rendered as-is, which could potentially lead to security issues. If you need +to escape the variables in the firstof tag, you must do so explicitly:: {% filter force_escape %} {% firstof var1 var2 var3 "fallback value" %} {% endfilter %} +.. versionchanged:: 1.6 + +To improve safety, future versions of ``firstof`` will automatically escape +their output. You're encouraged to activate this behavior by loading +``firstof`` from the ``future`` template library:: + + {% load firstof from future %} + +When using the ``future`` version, you can disable auto-escaping with:: + + {% autoescape off %} + {% firstof var1 var2 var3 "<strong>fallback value</strong>" %} + {% endautoescape %} + +Or if only some variables should be escaped, you can use:: + + {% firstof var1 var2|safe var3 "<strong>fallback value</strong>"|safe %} + .. templatetag:: for for diff --git a/docs/releases/1.6.txt b/docs/releases/1.6.txt index 67c032a362..ce1e643946 100644 --- a/docs/releases/1.6.txt +++ b/docs/releases/1.6.txt @@ -160,6 +160,34 @@ Backwards incompatible changes in 1.6 Features deprecated in 1.6 ========================== +Changes to :ttag:`cycle` and :ttag:`firstof` +~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ + +The template system generally escapes all variables to avoid XSS attacks. +However, due to an accident of history, the :ttag:`cycle` and :ttag:`firstof` +tags render their arguments as-is. + +Django 1.6 starts a process to correct this inconsistency. The ``future`` +template library provides alternate implementations of :ttag:`cycle` and +:ttag:`firstof` that autoescape their inputs. If you're using these tags, +you're encourage to include the following line at the top of your templates to +enable the new behavior:: + + {% load cycle from future %} + +or:: + + {% load firstof from future %} + +The tags implementing the old behavior have been deprecated, and in Django +1.8, the old behavior will be replaced with the new behavior. To ensure +compatibility with future versions of Django, existing templates should be +modified to use the ``future`` versions. + +If necessary, you can temporarily disable auto-escaping with +:func:`~django.utils.safestring.mark_safe` or :ttag:`{% autoescape off %} +<autoescape>`. + ``SEND_BROKEN_LINK_EMAILS`` setting ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ |
